Getting Data In

How to configure the Heavy Forwarder to receive syslog events and forward them to an indexer


Windows 2016 / Splunk

Today I have installed Splunk and configured it as a heavy forwarder. Currently I'm able to search the _internal index and see the splunkd.log events from the host, so forwarding and receiving should be just fine.

On the heavy forwarder I have defined a TCP port 514 without host limitations. Sourcetype and index are also defined.

# inputs.conf on the heavy forwarder
[tcp://514]
connection_host = dns
index = network
sourcetype = bluecoat:proxysg:access:syslog

But when searching the index from the search head I'm not able to see any syslog events. I do assume that our network administrator has defined the proxy to send syslog to the correct server name/port, but just in case I also use the Kiwi Syslog Message Generator to test sending messages as well but ... nothing. Searching for the message text: nothing; source IP: nothing.

I'm on Windows, so using netstat | findstr 514 I do see that there is a connection from the server from which I send the test message. A bit lost right now....



I do see that you are using Windows (sorry about that), but the best option that I have ever seen for syslog data is the Splunk Connect for Syslog app available from Splunkbase. It would be installed on a Linux server, so if your environment doesn't support Linux, or you have no clue how to use a Linux machine, then you would not want to use it. It doesn't require an HF to send the data to Splunk, only an HEC endpoint (whether that is an HF or an indexer or cluster), so it is lightweight and fast (I've had 4 times the throughput of a UF and 20 times the throughput of an HF on the same server using this method and still not maxed out the server). I would seriously look into this method. Syslog straight into a Splunk machine is not a good idea; you will have packet loss if you do. Splunk is slow to restart, so any time you try to update or restart that type of HF you will get packet loss during that whole time.

Something to think about.



For the time being I'm stuck on Windows, too bad because Splunk Connect for Syslog looks pretty amazing.

But after a couple of hours not looking into the issue, and then giving it a second try, I realized that the config I had created will not send the data from the HF to both targets, but only to one of them. Commenting out the config in props.conf, outputs.conf and transforms.conf and ... OK, now the HF forwards to the indexer. That was plain and simple. Will create a new question for the follow-up topic.

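The configuration the thread converges on, written out as an added example (these are not the original poster's files): the raw TCP 514 listener from the question, plus outputs.conf, props.conf and transforms.conf that route the proxy sourcetype to two output groups instead of one, which is the part that went wrong in the follow-up. The host names, the group names "indexers" and "siem", and the nature of the second destination are assumptions for illustration.

```ini
# inputs.conf on the heavy forwarder (added example, not the OP's file).
# Raw TCP listener on 514 with no host restriction, as in the question.
[tcp://514]
connection_host = dns
index = network
sourcetype = bluecoat:proxysg:access:syslog

# outputs.conf: two tcpout groups. Host names are assumed placeholders.
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx01.example.internal:9997

[tcpout:siem]
server = siem01.example.internal:9997
# If this target is not a Splunk receiver, uncomment the next line so it
# gets raw lines instead of Splunk's cooked stream.
# sendCookedData = false

# props.conf: attach a routing transform to the sourcetype.
[bluecoat:proxysg:access:syslog]
TRANSFORMS-routing = route_proxy_both

# transforms.conf: set _TCP_ROUTING to BOTH groups. Naming only one group
# in FORMAT is exactly what sends the events to a single target.
[route_proxy_both]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = indexers,siem
```

After a restart, check that the merged stanza is what you expect with `splunk btool transforms list route_proxy_both --debug` (and the same for outputs), then search `index=_internal source=*splunkd.log* component=TcpOutputProc` for connection errors to either group and `component=TcpInputProc` for listener problems. A connection visible in netstat only proves the socket is open; it says nothing about whether the event reached an indexer. Keep the earlier answer's caveat in mind: every splunkd restart on this host closes port 514 for the duration, and whatever the proxy sends in that window over TCP depends on the sender's reconnect and buffering behaviour (over UDP it is simply lost).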